The EFF pages don't explain how it works. But I know Peter and his work, so my guess is that he is using the fact that most Web servers that have a certificate installed will allow access to any of the Web sites hosted on the machine via SSL. He has suggested this approach several times in the past at any rate, and it is the only model that fits the circumstances.

So BoingBoing.net would not need a certificate for its own site if it is co-hosted on a machine with bigshoppy.com which has a certificate for accepting credit card payments.

This is very close to a model that the IETF has been working on called promiscuous security. It does have certain advantages as a defense against the black arts of the NSA. But like Bruce Schneier points out, brakes are good but if you think your brakes are better than they are, you are likely to find they cause you to crash when they fail.

What Peter is giving up here is authentication, which means that he is only providing protection against passive surveillance. He is not really providing protection for WiFi as stated in the article.

There are models that could extend the scheme to provide some degree of authentication. One of them is DANE. Unfortunately that is rather compromised by the fact that it is built on DNSSEC and the US government has de facto control over the DNSSEC root. That does not enable an actual attack, but it has led several of the governments we are most worried about to strip out DNSSEC data at their national firewalls.

I have proposed a scheme called Omnibroker which could be used to address the authentication gap through a heuristic approach. But my focus right now is end-to-end email security.

Incidentally the IETF is meeting in London at the end of the month and we are discussing these very issues.
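An added illustration of the first comment's point (example code, not from the thread or from EFF): a TLS client authenticates a server by matching the hostname it asked for against the certificate's dNSName subjectAltName entries. The certificate for bigshoppy.com and the list of co-hosted sites below are constructed for this example, and the matcher is a simplified version of the RFC 6125 rules written here rather than a library call. With hostname verification on, a request for the co-hosted boingboing.net is rejected; only with verification switched off does the connection succeed, which is the opportunistic, passive-surveillance-only protection the comment describes.

```python
"""Why one host's certificate, shared across co-hosted sites, gives
encryption without authentication.

Constructed sample data: a certificate issued to bigshoppy.com and a set
of hostnames served by the same machine. Not real certificates.
"""

# dNSName subjectAltName entries of the (constructed) bigshoppy.com cert.
BIGSHOPPY_SANS = ["bigshoppy.com", "www.bigshoppy.com", "*.cdn.bigshoppy.com"]

# Sites co-hosted on the same server (constructed list).
CO_HOSTED_SITES = [
    "www.bigshoppy.com",
    "img.cdn.bigshoppy.com",
    "a.b.cdn.bigshoppy.com",
    "boingboing.net",
]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.lower().rstrip(".")


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Simplified RFC 6125 matching of a requested host against dNSName SANs.

    A wildcard is honoured only when it is the entire left-most label of a
    pattern with at least two further labels (so "*.com" never matches),
    and it matches exactly one label, never "a.b".
    """
    host = _normalize(hostname)
    host_labels = host.split(".")
    for pattern in san_dns_names:
        pat = _normalize(pattern)
        pat_labels = pat.split(".")
        if "*" not in pat:
            if pat == host:
                return True
            continue
        if (pat_labels[0] != "*"
                or any("*" in label for label in pat_labels[1:])
                or len(pat_labels) < 3):
            continue  # malformed or over-broad wildcard: ignore the entry
        if len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]:
            return True
    return False


def classify_connection(requested_host: str, san_dns_names: list[str],
                        verify_hostname: bool = True) -> str:
    """What a client actually gets when it talks TLS to this certificate.

    "authenticated": encrypted and bound to the site the user asked for.
    "rejected":      the name does not match and the client checks names,
                     which is what a browser does by default.
    "opportunistic": the name does not match but the client skipped the
                     check; traffic is encrypted against a passive observer
                     only, since any server could present such a cert.
    """
    if hostname_matches(requested_host, san_dns_names):
        return "authenticated"
    if verify_hostname:
        return "rejected"
    return "opportunistic"


def survey(sites: list[str], san_dns_names: list[str],
           verify_hostname: bool = True) -> dict[str, str]:
    """Classify every co-hosted site against the shared certificate."""
    return {site: classify_connection(site, san_dns_names, verify_hostname)
            for site in sites}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"hostname verification {'on' if mode else 'off'}:")
        for site, verdict in survey(CO_HOSTED_SITES, BIGSHOPPY_SANS, mode).items():
            print(f"  {site:24} -> {verdict}")
```

The verdict for boingboing.net is the whole argument in miniature: the bytes on the wire are encrypted either way, but nothing in the handshake ties them to the site the user typed unless the certificate names that site.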

That's right, it's time for Pedantry!! When a thing is key to the thing being described, it's pretty much met and surpassed the "important" mark, thereby eliminating the need to include it in the phrase, wouldn't you say? This is a very critically importantly crucially super-duper key thing to remember. Thank you and have a nice day.

I've never really gotten the point of the app; all it's doing is checking to make sure you are using HTTPS on a site that has it available, which a site would likely have redirectors to make sure you are using if they care anything about security. HTTPS Everywhere makes it sound like they are actually encrypting you... everywhere, which is totally misleading.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.

Doesn't seem deceptive to me and I appreciate the free extension because it can cover more bases as they explain above.